Re: filter-a and dns64 in a ipv6-only network

2023-02-01 Thread Thomas Schäfer

On 01.02.23 at 16:12, Bjørn Mork wrote:


> This sort of "works" for me (although very broken by design, as already
> noted):


Thank you for providing a work around and testing it.

I am still not convinced that filter-a does less harm when a real AAAA
is provided instead of a synthesized one. It breaks DNSSEC anyway.


Regards,
Thomas



--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: filter-a and dns64 in a ipv6-only network

2023-02-01 Thread Thomas Schäfer

Thank you for your answers.

Of course DNS64 breaks DNSSEC, like any other manipulation of DNS
resource records.
But that doesn't mean filtering A records breaks DNS64; it still only
breaks DNSSEC.


So filtering A records and DNSSEC are mutually exclusive.

I know almost all popular dual-stack methods, e.g.
 pure dual stack (at work since 2005)
 DS-Lite (very common in Germany for private users, personally
since 2018)

 464XLAT (used here on mobile by DTAG and on WiFi at work)

After two decades of dual stack, my approach is to see an end to the
migration. That means single-stack IPv6.

One element of it is DNS64 with NAT64.
Another element may be filtering A records, so CLAT can be removed
(CLAT was originally invented for very, very old IP stacks/apps, 10 years
ago).


Other people have recently introduced a third way between dual stack and
IPv6-only called "IPv6 mostly" (RFC 8925).

That is two steps forward and one step back.

Nevertheless the goal is: IPv6 single stack.

I have learned that BIND/ISC is not willing to support such (test) scenarios.

Thanks for the conversation.

Thomas




Re: filter-a and dns64 in a ipv6-only network

2023-01-31 Thread Thomas Schäfer
On Tuesday, 31 January 2023, 20:03:42 CET, Marco wrote:

> 
> Why would it make sense to block them?

Avoiding wrong decisions by "happy eyeballs" - probably the same rare reasons 
why ISC introduced the AAAA filter years ago. In theory there is no reason to 
block either AAAA or A. But blocking A depending on the existence of AAAA makes no 
sense at all
(as BIND is doing at the moment).
 
> > > You seem to have this strange notion that to run an IPv6-only node
> > > or network that you need to filter out A records.
> > 
> > It isn't any more strange than filtering AAAA records in old IPv4-only
> > networks. That filter is ironically implemented by ISC, despite
> > there being no serious RFC for that.
> 
> I don't see a reason for filtering at all. What is the benefit of that?

Wrong IPv6/IPv4 preference/selection by apps.

> 
> > The purpose of the A record filter is to correct the behavior of apps
> > which don't respect IPv6 RFCs regarding the preference of IPv6 over
> > IPv4.
> 
> Best would be to fix these "apps".
> If the computer does not have an IPv4 address, the A records are
> useless, it can't use them and needs to connect via IPv6.

That would be best, of course - but the reality is that apps, even the defaults 
in some programming languages like Java, are still wrong.
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/doc-files/net-properties.html

 
> Why don't they work if they can't connect using IPv4?
> Which apps are affected?

e.g. gpsprune under linux:

LANG=C java -jar gpsprune_22.2.jar
IOE: java.net.SocketException - Network is unreachable
IOE: java.net.SocketException - Network is unreachable
IOE: java.net.SocketException - Network is unreachable
IOE: java.net.SocketException - Network is unreachable
IOE: java.net.SocketException - Network is unreachable
IOE: java.net.SocketException - Network is unreachable
IOE: java.net.SocketException - Network is unreachable
IOE: java.net.SocketException - Network is unreachable

They don't load the maps.

I have to set the environment manually for each (wrong) Java app:
java -Djava.net.preferIPv6Addresses=true

or
I have to ensure clatd is running, which is not my understanding of IPv6 
only.
or
I have to remove the A record, independent of whether the AAAA record is 
real or synthesized.

Thomas





-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: filter-a and dns64 in a ipv6-only network

2023-01-31 Thread Thomas Schäfer
On Monday, 30 January 2023, 23:12:53 CET, Mark Andrews wrote:
> Do you want a correctly operating DNS64 server or do you want to filter
> all A records?  They are mutually exclusive requirements.  Please read
> RFC 6147 to understand why they are mutually exclusive.

That's simply not true. RFC 6147 is about synthesizing AAAA records based on A 
records. It says nothing about blocking A records afterwards.


> You seem to have this strange notion that to run an IPv6-only node or
> network that you need to filter out A records. 

It isn't any more strange than filtering AAAA records in old IPv4-only networks. 
That filter is ironically implemented by ISC, despite there being no serious 
RFC for that.
The purpose of the A record filter is to correct the behaviour of apps which 
don't respect IPv6 RFCs regarding the preference of IPv6 over IPv4.


> Could you tell me who or
> what told you this was required?

Thank you for the personal attack within the first contact. I am old (enough) 
- I can speak for myself.
I am an experienced user of different IPv6-only networks,
e.g.
daily at eduroam-IPv6only, a big WiFi network administrated by the Leibniz 
Supercomputing Centre in Munich,
daily at the IPv6-only mobile network (4G/5G) of Deutsche Telekom,
once a year at the RIPE conference WiFi.
I am the admin of my home/test lab with: tayga, jool, unbound (filters A, does 
DNS64), dnsmasq (can filter A, but can't do DNS64).

I know that CLAT is a solution for *some* very old apps, usually on 
smartphones and recently also on Macs.
Nevertheless Windows doesn't use CLAT in wireless/wired LANs.
I want to get rid of CLAT, aka 464XLAT (CLAT was not invented for eternity).
Even Linux has no default CLAT installation on many distributions.

My experience until now: the A record filter doesn't break anything, but it 
makes some apps work without CLAT - so at least some Windows and Linux 
apps.

Now I am testing the usefulness of BIND. In its current state it isn't useful.

Regards 
Thomas Schäfer






filter-a and dns64 in a ipv6-only network

2023-01-30 Thread Thomas Schäfer
Hi,

I use Tumbleweed for testing, since compiling BIND is hard (at least for me).

bind version: 9.18.11

options {
        // Synthesize AAAA from A into the well-known prefix for any client,
        // for recursive queries only; A records in 10/8 are not mapped.
        dns64 64:ff9b::/96 {
                clients { any; };
                recursive-only yes;
                mapped { !10/8; any; };
        };
};

// filter-a query plugin: drop A records for clients reached over IPv6 and
// over IPv4, even where that breaks DNSSEC, for any IPv6 client (::/0).
plugin query "filter-a.so" {
        filter-a-on-v6 break-dnssec;
        filter-a-on-v4 break-dnssec;
        filter-a { ::/0; };
};

My test setup is intended to be IPv6-only. Please don't try to convince me 
that CLAT would be better. 
(https://lists.isc.org/mailman/htdig/bind-users/2022-March/105826.html) I 
don't want IPv4 at all.

The first line of the man page says:
"filter-a - filter A in DNS responses when AAAA is present"

and here my problem starts: DNS64 generates an AAAA record, but the plugin 
filter-a expects a real AAAA response. In the end A isn't filtered.


Example with real AAAA record
host ct.de ::1
Using domain server:
Name: ::1
Address: ::1#53
Aliases: 

ct.de has IPv6 address 2a02:2e0:3fe:1001:302::
ct.de mail is handled by 50 secondarymx.heise.de.
ct.de mail is handled by 10 relay.heise.de.

Example with synthesized AAAA record

host sz.de ::1
Using domain server:
Name: ::1
Address: ::1#53
Aliases: 

sz.de has address 195.50.177.61
sz.de has IPv6 address 64:ff9b::c332:b13d
sz.de has IPv6 address 64:ff9b::c332:b13d
sz.de mail is handled by 50 sz-de.mail.protection.outlook.com.


How can I achieve the removal of A records in every case?


Regards,
Thomas
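The two stages the named.conf above chains together, DNS64 synthesis into 64:ff9b::/96 with the `mapped { !10/8; any; }` exclusion and the filter-a rule "drop A when AAAA is present", as an added Python model. This is not BIND's code and not from the original post; it reproduces the result the two `host` runs show (the sz.de A record survives because only the upstream AAAA counts as "present") and lets you flip that reading. The `signed` flag, the `count_synthesized` switch, the "yes" versus "break-dnssec" handling and the ct.de A address 192.0.2.10 are assumptions introduced here; the sz.de addresses are the ones from the post.

```python
import ipaddress

# Added illustration, not BIND's implementation: a model of dns64 synthesis
# followed by the filter-a decision. Answer sets are plain dicts constructed
# here; only sz.de's addresses come from the post.

DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
NOT_MAPPED = [ipaddress.IPv4Network("10.0.0.0/8")]   # mapped { !10/8; any; }


def synthesize_aaaa(a_rdata: str, prefix: ipaddress.IPv6Network = DNS64_PREFIX) -> str:
    """RFC 6052 embedding for a /96 prefix: the IPv4 address fills the low 32 bits."""
    v4 = ipaddress.IPv4Address(a_rdata)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def dns64(answer: dict) -> dict:
    """Stage 1: synthesize AAAA only when the upstream answer carried no AAAA at all."""
    a = list(answer.get("A", []))
    aaaa = list(answer.get("AAAA", []))
    synthesized = False
    if not aaaa:
        for rdata in a:
            if any(ipaddress.IPv4Address(rdata) in net for net in NOT_MAPPED):
                continue                      # excluded by the mapped ACL
            aaaa.append(synthesize_aaaa(rdata))
            synthesized = True
    return {"A": a, "AAAA": aaaa, "synthesized": synthesized,
            "signed": answer.get("signed", False)}   # 'signed' is an assumption here


def filter_a(answer: dict, mode: str = "break-dnssec",
             count_synthesized: bool = False) -> dict:
    """Stage 2: model of the filter-a rule "drop A when AAAA is present".

    mode (simplified reading of the plugin options, an assumption):
      "no"           never filter
      "yes"          filter unless the answer is DNSSEC-signed
      "break-dnssec" filter even then
    count_synthesized=False reproduces what the post observed: only a real
    upstream AAAA triggers the filter. True is the behaviour the post asks for.
    """
    out = dict(answer)
    if mode == "no" or (mode == "yes" and answer.get("signed")):
        return out
    aaaa_present = bool(answer["AAAA"]) and (count_synthesized or not answer["synthesized"])
    if aaaa_present:
        out["A"] = []
    return out


def resolve(answer: dict, mode: str = "break-dnssec",
            count_synthesized: bool = False) -> dict:
    """Run both stages in the order the post's configuration implies."""
    return filter_a(dns64(answer), mode, count_synthesized)


if __name__ == "__main__":
    # Constructed upstream answers modelled on the two host(1) runs in the post.
    sz = {"A": ["195.50.177.61"], "AAAA": []}                        # real A only
    ct = {"A": ["192.0.2.10"], "AAAA": ["2a02:2e0:3fe:1001:302::"]}  # A is constructed
    for name, ans in (("sz.de", sz), ("ct.de", ct)):
        for flag in (False, True):
            r = resolve(ans, count_synthesized=flag)
            print(f"{name:6} count_synthesized={flag!s:5} A={r['A']} AAAA={r['AAAA']}")
```

With `count_synthesized=False` the sz.de answer keeps its A record next to the synthesized 64:ff9b::c332:b13d, exactly as in the post, while ct.de loses its A because its AAAA is real; with `count_synthesized=True` both lose the A record. Either way the A record is stripped from the answer the client sees, so a DNSSEC validator behind the resolver cannot verify the A RRset, which is the "mutually exclusive" point made upthread.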



